ADSM-L
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ADSM-L] PCI and TSM

2017-01-05 16:33:19
Subject: Re: [ADSM-L] PCI and TSM
From: Skylar Thompson <skylar2 AT U.WASHINGTON DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 5 Jan 2017 13:31:10 -0800 
If you use LTO (and probably the proprietary tape technologies as well),
you get drive encryption for free. The database backups store the
encryption key so you'll have to deal with those separately. You can also
get an out-of-band encryption appliance that talks to the tape drives,
which moves the key management problem outside TSM, but at an increase in
complexity.

As of TSM v6, you can also do SSL encryption between the TSM server and
clients. You would have to leverage some configuration management system to
do the certificate management.

As for data at rest in your disk pool, you could either mitigate that with
client-side encryption, or you could encrypt the filesystem at either the
OS or drive layer (self-encrypting drives don't cost much more than regular
drives).

I don't have experience with PCI, but we have NIST/FIPS requirements that
have been satisfied with tape and hard drive encryption, along with
physical security measures. At some point I'd like to roll out SSL as well
but haven't had time to do it.

On Thu, Jan 05, 2017 at 04:05:24PM -0500, Zoltan Forray wrote:
> I am looking for some guidelines / experience when it comes to the
> requirements for a TSM server to backup client servers that handles PCI
> (Payment Card Industry) data. I have no experience in this area and the
> person pushing/guiding this has very little experience.
>
> Besides the obvious of encrypting the backups from the user/client side,
> how do you handle things like making offsite copies (which are also
> encrypted) using tape?
>
> They are talking about setting up a new TSM server just to backup 12-PCI
> servers, on a separate, isolated network/subnet.  When I mentioned that the
> tape drives used to make the offsite copies is managed by a different TSM
> server, which would have to communicate with this isolated TSM server
> (eventhough the data is transferred via fibre), they didn't think that
> would be acceptable so now we are looking to get another tape drive to
> dedicate to this isolated server.
>
> In my opinion, this is overkill.
>
> Your thoughts/wisdom?
>
> --
> *Zoltan Forray*
> Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator
> Xymon Monitor Administrator
> VMware Administrator (in training)
> Virginia Commonwealth University
> UCC/Office of Technology Services
> www.ucc.vcu.edu
> zforray AT vcu DOT edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html

--
-- Skylar Thompson (skylar2 AT u.washington DOT edu)
-- Genome Sciences Department, System Administrator
-- Foege Building S046, (206)-685-7354
-- University of Washington School of Medicine
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ADSM-L] PCI and TSM, Zoltan Forray
Next by Date:  [ADSM-L] TSM DB spaces, David Ehresman
Previous by Thread:  [ADSM-L] PCI and TSM, Zoltan Forray
Next by Thread:  [ADSM-L] TSM DB spaces, David Ehresman
Indexes:  [Date] [Thread] [Top] [All Lists]